On Mon, Oct 21, 2013 at 10:22:05PM +0300, Deniss wrote:

> >Show all related logging from process 21730.
>
> Oct 21 21:35:01 box postfix/smtp[19887]: warning: TLS library problem: 19887:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> Oct 21 21:35:01 box postfix/smtp[19887]: 9057812402F: to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25, delay=0.05, delays=0.01/0.01/0.03/0, dsn=4.4.2, status=deferred (lost connection with mail.co.inbox.lv[195.13.218.205] while sending MAIL FROM)

This is closer. We see that the TLS handshake succeeded, but then the TLS
connection was lost during "MAIL FROM". This reeks of the Windows 3DES
bug, but you don't show logging of TLS handshake completion? What is
smtp_tls_loglevel set to? (It should be set to 1, and there should be a
log entry from the process before the error that shows the completed
handshake, agreed ciphersuite, ...)

> >Wild guess:
> >
> >     http://archives.neohapsis.com/archives/postfix/2013-10/thread.html#289
>
> I tried to make use of "smtp_tls_exclude_ciphers = DES-CBC3-SHA"
> and got TLS failure and the message sent in plain wire (I believe):
>
> Oct 21 21:43:41 box postfix/smtp[20925]: SSL_connect error to mail.co.inbox.lv[195.13.218.205]:25: lost connection
> Oct 21 21:43:41 box postfix/smtp[20925]: 7613D12402F: Cannot start TLS: handshake failure
> Oct 21 21:43:41 box postfix/smtp[20925]: 7613D12402F: to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25, delay=0.38, delays=0.01/0.01/0.02/0.35, dsn=2.6.0, status=sent (250 2.6.0 <526575df.8070...@sad.lv> Queued mail for delivery)
> Oct 21 21:43:41 got postfix/qmgr[20393]: 7613D12402F: removed

Yes, this went out via plaintext. Do your settings permit RC4-SHA, or
have you configured only high-grade ciphers? Please resist the
temptation to over-summarize the logs. Was there any other logging from
process 20925 related to this delivery?

> I tried openssl s_client -connect mail.co.inbox.lv:25 -starttls smtp -tls1_2:
>
> 2714154632:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

This is not useful.

> Moreover I tried
> smtp_tls_policy_maps = hash:/etc/postfix/tls_map with
>
> # cat /etc/postfix/tls_map
> [mail.co.inbox.lv]:25 secure ciphers=medium exclude=3DES
>
> with no luck.

Did you forget "postmap"? I would keep the protocols=!TLSv1.2 in place;
with servers this broken, TLSv1.2 is likely to add to your troubles.

> Oct 21 22:13:32 box postfix/smtp[24060]: warning: TLS library problem: 24060:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> Oct 21 22:13:32 box postfix/smtp[24060]: D912212402E: to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25, delay=0.04, delays=0/0.01/0.02/0, dsn=4.4.2, status=deferred (lost connection with mail.co.inbox.lv[195.13.218.205] while sending MAIL FROM)

Once again after the handshake completes. When I try:

$ posttls-finger -t30 -T 180 -c -Ldebug "[mail.co.inbox.lv]"
posttls-finger: initializing the client-side TLS engine
posttls-finger: Connected to mail.co.inbox.lv[195.13.218.205]:25
posttls-finger: setting up TLS connection to mail.co.inbox.lv[195.13.218.205]:25
posttls-finger: mail.co.inbox.lv[195.13.218.205]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
posttls-finger: SSL_connect:before/connect initialization
posttls-finger: SSL_connect:SSLv2/v3 write client hello A
posttls-finger: SSL_connect:SSLv3 read server hello A
posttls-finger: mail.co.inbox.lv[195.13.218.205]:25: depth=0 verify=0 subject=/C=LV/ST=VIDZEME/L=RIGA/O=SIA INBOKSS/CN=office.co.inbox.lv/emailAddress=adm...@co.inbox.lv
posttls-finger: mail.co.inbox.lv[195.13.218.205]:25: depth=0 verify=0 subject=/C=LV/ST=VIDZEME/L=RIGA/O=SIA INBOKSS/CN=office.co.inbox.lv/emailAddress=adm...@co.inbox.lv
posttls-finger: mail.co.inbox.lv[195.13.218.205]:25: depth=0 verify=0 subject=/C=LV/ST=VIDZEME/L=RIGA/O=SIA INBOKSS/CN=office.co.inbox.lv/emailAddress=adm...@co.inbox.lv
posttls-finger: SSL_connect:SSLv3 read server certificate A
posttls-finger: SSL_connect:SSLv3 read server done A
posttls-finger: SSL_connect:SSLv3 write client key exchange A
posttls-finger: SSL_connect:SSLv3 write change cipher spec A
posttls-finger: SSL_connect:SSLv3 write finished A
posttls-finger: SSL_connect:SSLv3 flush data
posttls-finger: SSL_connect:SSLv3 read finished A
posttls-finger: certificate verification failed for mail.co.inbox.lv[195.13.218.205]:25: untrusted issuer /C=LV/ST=VIDZEME/O=SIA INBOKSS/CN=*.inbox.lv/emailAddress=adm...@co.inbox.lv
posttls-finger: mail.co.inbox.lv[195.13.218.205]:25: subject_CN=office.co.inbox.lv, issuer_CN=*.inbox.lv, fingerprint=F6:57:C5:1E:51:82:15:E6:2B:E5:D7:A2:2C:1E:91:27:C5:B5:40:02, pkey_fingerprint=C4:B4:12:4B:0F:1A:53:35:6B:27:70:D5:60:19:16:0B:66:48:B4:DD
posttls-finger: Untrusted TLS connection established to mail.co.inbox.lv[195.13.218.205]:25: TLSv1.1 with cipher RC4-MD5 (128/128 bits)

I get RC4-MD5, which is likely the only working ciphersuite on this
server. Make sure your smtp_tls_loglevel=1, and report the "TLS
connection established" log entries.

When I set the ciphers to "high" for this destination, I get:

...
posttls-finger: Untrusted TLS connection established to mail.co.inbox.lv[195.13.218.205]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
posttls-finger: SSL3 alert write:fatal:protocol version
posttls-finger: warning: TLS library problem: 28603:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/home/builds/ab/HEAD/src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:339:
posttls-finger: warning: lost connection while sending QUIT command

So this is definitely a version of the broken Windows TLS ciphersuite
problem. If you must use TLS with this server, disable TLSv1.2 and
3DES, allow medium grade ciphers (i.e. RC4) and make sure your policy
tables, ... are postmapped.

Do tell the remote site administrator their server is a mess.

-- 
	Viktor.
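Added example, not part of the thread above and not Postfix's own code: a small Python triage script that does mechanically what the reply above does by eye. It groups postfix/smtp log lines by process ID, pairs each delivery record with the TLS events that process logged just before it, and reports whether the message went out over TLS, fell back to plaintext after a failed handshake (opportunistic "may" TLS does this silently, as the 20925 case shows), was deferred after the handshake had already completed, or was deferred on a TLS error with no "TLS connection established" entry at all (the smtp_tls_loglevel=1 check Viktor asks for). The sample log is constructed: the 19887 and 20925 processes are copied from the excerpts in the thread; the 25000 and 28603 processes are invented to show a delivery over RC4-MD5 and a post-handshake 3DES failure as logged by smtp(8) rather than posttls-finger. The regexes assume the standard postfix/smtp log format with smtp_tls_loglevel=1.

```python
"""Triage Postfix smtp(8) log lines for opportunistic-TLS problems.

Lines are grouped by smtp process ID, each delivery record is paired with
the TLS events that process logged before it, and the outcome is classified.
"""
import re
from collections import defaultdict

# One postfix/smtp line: timestamp, host, pid, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Per-recipient delivery record (queue id, relay, dsn, status, detail).
DELIVERY_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, relay=(?P<relay>\S+), .*"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
# Handshake-completion entry that smtp(8) logs with smtp_tls_loglevel >= 1.
TLS_OK_RE = re.compile(
    r"^(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<relay>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)


def _classify(delivery, events):
    """Combine one delivery record with the TLS events logged before it."""
    tls_ok = next((m for m in map(TLS_OK_RE.match, events) if m), None)
    handshake_failed = any("Cannot start TLS" in e for e in events)
    lib_problem = any("TLS library problem" in e for e in events)
    status, detail = delivery["status"], delivery["detail"]
    lost = "lost connection" in detail

    if status == "sent" and tls_ok:
        verdict = "sent over TLS"
    elif status == "sent" and handshake_failed:
        # Opportunistic TLS: the handshake failed and Postfix retried in the clear.
        verdict = "sent in PLAINTEXT after TLS handshake failure"
    elif status == "sent":
        verdict = "sent, no TLS logged (plaintext, or smtp_tls_loglevel=0)"
    elif lost and tls_ok:
        # Handshake completed, then the record layer broke (e.g. the 3DES bug).
        verdict = "deferred after TLS handshake completed (post-handshake failure)"
    elif lost and lib_problem:
        verdict = "deferred on TLS error, handshake not logged: set smtp_tls_loglevel=1"
    else:
        verdict = f"{status}: {detail}"

    return {
        "qid": delivery["qid"],
        "relay": delivery["relay"],
        "status": status,
        "tls": f"{tls_ok['proto']}/{tls_ok['cipher']}" if tls_ok else None,
        "verdict": verdict,
    }


def triage(log_text):
    """Return one result dict per delivery record, in log order."""
    pending = defaultdict(list)  # pid -> messages since that pid's last delivery
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # qmgr, cleanup and other daemons are not relevant here
        pid, msg = m["pid"], m["msg"]
        delivery = DELIVERY_RE.match(msg)
        if delivery is None:
            pending[pid].append(msg)
            continue
        results.append(_classify(delivery, pending.pop(pid, [])))
    return results


# Constructed sample: pids 19887/20925 follow the thread, 25000/28603 are invented.
SAMPLE_LOG = """\
Oct 21 21:35:01 box postfix/smtp[19887]: warning: TLS library problem: 19887:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
Oct 21 21:35:01 box postfix/smtp[19887]: 9057812402F: to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25, delay=0.05, delays=0.01/0.01/0.03/0, dsn=4.4.2, status=deferred (lost connection with mail.co.inbox.lv[195.13.218.205] while sending MAIL FROM)
Oct 21 21:43:41 box postfix/smtp[20925]: SSL_connect error to mail.co.inbox.lv[195.13.218.205]:25: lost connection
Oct 21 21:43:41 box postfix/smtp[20925]: 7613D12402F: Cannot start TLS: handshake failure
Oct 21 21:43:41 box postfix/smtp[20925]: 7613D12402F: to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25, delay=0.38, delays=0.01/0.01/0.02/0.35, dsn=2.6.0, status=sent (250 2.6.0 <526575df.8070...@sad.lv> Queued mail for delivery)
Oct 21 21:43:41 box postfix/qmgr[20393]: 7613D12402F: removed
Oct 21 22:30:00 box postfix/smtp[25000]: Untrusted TLS connection established to mail.co.inbox.lv[195.13.218.205]:25: TLSv1.1 with cipher RC4-MD5 (128/128 bits)
Oct 21 22:30:00 box postfix/smtp[25000]: C1A7B12402F: to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25, delay=0.41, delays=0.01/0.01/0.02/0.37, dsn=2.6.0, status=sent (250 2.6.0 <526575df.8070...@sad.lv> Queued mail for delivery)
Oct 21 22:31:00 box postfix/smtp[28603]: Untrusted TLS connection established to mail.co.inbox.lv[195.13.218.205]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Oct 21 22:31:00 box postfix/smtp[28603]: warning: TLS library problem: 28603:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
Oct 21 22:31:00 box postfix/smtp[28603]: E44F012402F: to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25, delay=0.06, delays=0/0.01/0.04/0, dsn=4.4.2, status=deferred (lost connection with mail.co.inbox.lv[195.13.218.205] while sending MAIL FROM)
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['qid']} {r['status']:8} tls={r['tls']}  {r['verdict']}")
```

Feed it real logs with something like grep 'postfix/smtp\[' /var/log/mail.log | python3 tlstriage.py (reading stdin instead of SAMPLE_LOG). The point of keying on the process ID rather than the queue ID is that the "TLS connection established" and "TLS library problem" entries carry no queue ID, so only the pid ties them to the delivery record that follows.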